A reverse proxy or surrogate often uses browser cookies to identify user sessions that originate from a remote browser application. Thus, when a user initiates a secure sockets layer (SSL) communication session from a browser application, mutual SSL authentication is not necessarily used. Instead, other methods of authentication may be implemented, such as anonymous authentication against a Lightweight Directory Access Protocol (LDAP) directory. When this occurs, the proxy associates further communication from that particular browser with the authenticated session on the basis of the browser cookies, which are then used to enforce user policies for authorization purposes.
However, if the browser cookies are compromised in some way, then the user's credentials have essentially been lost for whatever period of time the original authentication remains valid. A Trojan (i.e., malicious software masquerading as a useful application) might be running on the anonymous user's workstation, operating to steal browser cookies and pass them on to malicious users. This activity can thus lead to unwanted SSL sessions being established from sources controlled by malicious users, on behalf of the original authenticated user.
For example, when a legitimate user first attempts to access a Hypertext Transfer Protocol (HTTP) reverse proxy node, SSL communication may be established without enforcing mutual X.509 certificate authentication. After the SSL session keys are established, the legitimate user provides credentials for authentication. At the end of the authentication process, the reverse proxy node sets a secure cookie in the browser associated with the legitimate user. All further requests for data access to the reverse proxy node present this cookie as the session identifier.
A Trojan running on the workstation of the legitimate user can pass the cookie to a man-in-the-middle (MITM), which may itself be a malicious user. The MITM, in turn, can establish an SSL session of its own and use the cookie as a passport to the reverse proxy node. This fraudulent session is established by the MITM through the same process used by the legitimate user, so the stolen cookie negates whatever security the reverse proxy node gained by authenticating the legitimate user.
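The replay described above works because the cookie alone proves the session. The following added example (constructed for this discussion, not code from the original text or from any particular proxy product) models a reverse proxy session table that binds each cookie to the TLS session over which the user authenticated, so a cookie presented from a different TLS session, as the MITM would do, is rejected, revoked and reported; `tls_session_id` is assumed to be an identifier the proxy's TLS stack exposes for the current connection.

```python
import hashlib
import secrets
import time


def _tls_fingerprint(tls_session_id: bytes) -> str:
    """Hash the TLS session identifier so the table never stores it raw."""
    return hashlib.sha256(tls_session_id).hexdigest()


class ProxySessionStore:
    """Session table of a reverse proxy that authenticates a user once and
    then authorizes later requests by cookie. Each cookie is bound to the
    TLS session on which authentication happened (constructed model)."""

    def __init__(self, ttl_seconds: int = 900):
        self.sessions = {}   # cookie token -> session record
        self.alerts = []     # replay detections, for the security team
        self.ttl = ttl_seconds

    def issue_session(self, user: str, tls_session_id: bytes) -> str:
        """Called after credential authentication succeeds; returns the cookie token."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self.sessions[token] = {
            "user": user,
            "tls": _tls_fingerprint(tls_session_id),
            "expires": time.time() + self.ttl,
        }
        return token

    @staticmethod
    def set_cookie_header(token: str) -> str:
        # Secure: never sent over plaintext HTTP; HttpOnly: not readable by page script.
        return f"Set-Cookie: SESSION={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def authorize(self, token: str, tls_session_id: bytes):
        """Return the user for a request, or None if the cookie is unknown,
        expired, or presented over a TLS session other than the one it was
        issued on (the stolen-cookie replay case)."""
        rec = self.sessions.get(token)
        if rec is None or rec["expires"] < time.time():
            self.sessions.pop(token, None)
            return None
        if rec["tls"] != _tls_fingerprint(tls_session_id):
            # Same cookie, different TLS session: treat as theft, revoke and alert.
            self.alerts.append({"user": rec["user"], "event": "cookie_replay_other_tls_session"})
            del self.sessions[token]
            return None
        return rec["user"]
```

Binding to a raw TLS session identifier is the simplest illustration; with session tickets or renegotiation the identifier can change legitimately, so a deployed proxy would bind to a more stable channel property and still rely on short lifetimes, since a Trojan that injects into the user's own browser session is not caught by this check.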